bisibis@pt.lu (paul b) wrote in message news:<1f716d42.0403090731.4e183ec7@posting.google.com>...
> Hello,
> I am currently developing a "web single signon"-system and I am
> thinking about using Kerberos for this purpose

> The goal is that a user has to identify itself once, using a
> X.509-certificate and that he has then access to a set of web-sites.
> In addition, I have an LDAP tree that could be used for managing the
> user rights.

x.509 has nothing to do with Kerberos. x.509 relates to PKI.

> I am not 100% familiar with Kerberos, so I don't know if my idea
> works:
> I wanted to authenticate the user on the first connection using their
> certificate. Based on the certificate, it should be possible to get
> the user's Kerberos(username, REALM and password) information from the
> LDAP-tree and pass this information to the Kerberos Authentication
> server in order to get a ticket.

Sorry, I don't think this would work. Kerberos doesn't use x.509
certs. You are better off using http://modauthkerb.sourceforge.net and
authenticating directly against the KDC. Otherwise just use a straight
PKI implementation using x.509 certs.

> Is this scenario possible and if yes, will it be transparent to the
> user (the best would be to authenticate the user only with his
> certificate, but one password popup could be tolerable ;-)) and not
> too hard to implement.

This scenario is not possible.

> As I understood, users must login manually to the Kerberos-system
> using Linux commands like "kinit",... and there are a lot of other
> commands that have to be typed by the user. Is that really necessary or
> is it possible to "automate" these functions so that they are
> transparent to the user?

> Does kerberizing a web-site introduce big changes to the site itself,
> can I interface Kerberos with the original login-functions or how does
> this work??

No, but kerberizing the rest of the architecture does.

> Perhaps someone can tell me if Kerberos is really a good solution for
> web single signon (and fully transparent to end-users) or if there are
> more simple possibilities like for example installing a "reverse
> proxy"?

Generally when people use Kerberos it is because they have an existing
Kerberos infrastructure they are trying to preserve. MIT and CMU are
great examples of this.
If you don't, and you just want to have single sign-on for the web, use
x.509. If you want to include CLI tools and such, then use
Kerberos.

> Could I, in later stages, also interface Kerberos with an SAP-server,
> Citrix,...

SAP and Citrix, I am pretty sure, use Active Directory, which uses a
form of Kerberos and LDAP. Otherwise they would have had to be written to
use Kerberos. You can't just slap it on.
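As an added illustration of the mod_auth_kerb suggestion above (this is not from the thread or from the mod_auth_kerb project; the realm, keytab path and protected location are placeholder assumptions), the Apache side of "authenticating directly against the KDC" is a few directives: the browser does SPNEGO/Negotiate with a ticket it already holds, and the password fallback is only there for clients without a ticket.

```apache
# Added example, not from the original post. Assumes mod_auth_kerb is loaded
# and that a keytab for the HTTP/<hostname>@EXAMPLE.COM principal exists.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Placeholder realm; replace with the realm the KDC actually serves.
    KrbAuthRealms EXAMPLE.COM
    # Placeholder keytab path; must be readable only by the httpd user.
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP
    # Negotiate lets a client with an existing TGT log in with no prompt.
    KrbMethodNegotiate On
    # Password fallback prompts for the Kerberos password over HTTP Basic;
    # keep it off unless the site is served over TLS only.
    KrbMethodK5Passwd Off
    # Have Apache confirm the KDC response against its own keytab entry
    # so a spoofed KDC cannot mint accepted tickets.
    KrbVerifyKDC On
    Require valid-user
</Location>
```

Two points a practitioner would check before relying on this: the keytab's HTTP principal must match the host name the browser uses (otherwise Negotiate silently fails and clients fall back to the password prompt, if enabled), and the authenticated principal name Apache exposes to the application is the only identity the site should trust; the LDAP tree from the original question is then used for authorization lookups keyed on that principal, not for fetching passwords.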
